Description
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Published: 2026-02-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

SmarterMail versions before 9526 contain a cross‑site scripting vulnerability that can be triggered through malformed MAPI requests. The flaw, identified as CWE‑79, permits an attacker to inject arbitrary HTML or JavaScript into a user’s browser context, enabling defacement or session hijacking if the victim interacts with the injected content. The primary impact is on confidentiality and integrity of the authenticated user session rather than full remote code execution.

Affected Systems

SmarterTools SmarterMail products with versions earlier than 9526 are affected. The advisory lists SmarterTools as vendor and SmarterMail as product; no more detailed version range is specified beyond the mention of 9526 as the first fixed release.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, and the EPSS score of less than 1% shows a low predicted exploitation probability at present. The vulnerability is not listed in KEV. The attack vector is inferred to require an attacker’s ability to send specially crafted MAPI requests to the SmarterMail server, potentially exploiting exposed API endpoints or compromised credentials. The lack of explicit prerequisites suggests that the flaw is exploitable via network interfaces that allow MAPI traffic. The impact is limited to the victim’s browser session and does not provide arbitrary code execution on the server.

Generated by OpenCVE AI on April 17, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SmarterMail to version 9526 or later following the SmarterTools release notes.
  • Restrict MAPI traffic to trusted IP ranges or disable MAPI for external connections to reduce the attack surface.
  • Configure application‑layer firewall rules to block or sanitize injected content in HTTP responses to mitigate residual XSS risk.

Generated by OpenCVE AI on April 17, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Title XSS via MAPI Requests in SmarterMail Prior to 9526

Sun, 22 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Smartertools
Smartertools smartermail
Vendors & Products Smartertools
Smartertools smartermail

Mon, 16 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Smartertools Smartermail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-22T19:08:16.471Z

Reserved: 2026-02-16T16:27:14.790Z

Link: CVE-2026-26930

cve-icon Vulnrichment

Updated: 2026-02-22T19:08:16.471Z

cve-icon NVD

Status : Deferred

Published: 2026-02-16T17:18:08.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26930

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses